[nsp-sec] Flows toward 80.168.92.133
Rob Thomas
robt at cymru.com
Thu Nov 11 16:45:25 EST 2010
Hey, David.
We didn't have a lot of insight involving the victim, 80.168.92.133.
> Attack started yesterday (9th) at just before 19:00 UTC and subsided almost
> ten hours later at around 08:00 the following day (10th). There appeared to
> be only one main source, 159.84.211.5, which was on RENATER, the French NREN.
> I dropped a mail to certsvp at renater.fr yesterday but received no response
> (is there anybody on there from here? I can't imagine why it would take so
> long for a response team to respond!)
> Anyway, it started back up for an hour between 21:00 and 22:00 UTC in the
> evening (of the 10th) with the following sources as top talkers:
>
> 1955 | 193.224.130.179 | HBONE-AS HUNGARNET
193.224.130.179 has been an open resolver since 2010-01, and as recently
as 2010-10-26 19:18:13 UTC. It's certainly ripe for use as an amplifier.
> 17506 | 221.252.11.218 | UCOM UCOM Corp.
Bupkes on 221.252.11.218.
> 4713 | 222.151.218.104 | OCN NTT Communications Corporation
We see 222.151.218.104 scanning for TCP 22 back on 2010-08-08 03:00:00 UTC.
> 4134 | 60.191.228.221 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134 | 60.191.29.110 | CHINANET-BACKBONE No.31,Jin-rong Street
Bupkes on 60.191.228.221 and 60.191.29.110.
> 14141 | 66.71.246.250 | WIRESIX - WireSix, Inc.
We see 66.71.246.250 scanning for TCP 22 back on 2010-08-10 15:30:00
UTC. Close to the dates of the scans from 222.151.218.104. Hmm!
> 32181 | 69.65.42.217 | ASN-ECOMD-COLOQUEST - Ecomdevel, LLC
> 14141 | 98.142.209.156 | WIRESIX - WireSix, Inc.
Bupkes on 69.65.42.217 and 98.142.209.156.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
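The triage Rob does by hand above (match each "ASN | IP | AS name" top talker against open-resolver and scan observations) as an added example; this is not code from the thread or from Team Cymru, and the OBSERVATIONS table is a constructed stand-in for a reputation feed, populated only with the dates quoted in the mail.

```python
import re

# Top-talker lines in the "ASN | IP | AS name" format quoted in the mail.
TOP_TALKERS = """\
1955 | 193.224.130.179 | HBONE-AS HUNGARNET
17506 | 221.252.11.218 | UCOM UCOM Corp.
4713 | 222.151.218.104 | OCN NTT Communications Corporation
14141 | 66.71.246.250 | WIRESIX - WireSix, Inc.
"""

# Constructed lookup table standing in for a reputation feed; the entries
# mirror the observations stated in the mail and imply nothing further.
OBSERVATIONS = {
    "193.224.130.179": [("open-resolver", "2010-10-26T19:18:13Z")],
    "222.151.218.104": [("scan-tcp-22", "2010-08-08T03:00:00Z")],
    "66.71.246.250": [("scan-tcp-22", "2010-08-10T15:30:00Z")],
}

LINE_RE = re.compile(r"^\s*(\d+)\s*\|\s*([0-9.]+)\s*\|\s*(.+?)\s*$")


def parse_top_talkers(text):
    """Return (asn, ip, as_name) tuples, skipping lines that do not match."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def classify(ip, observations):
    """Label a source: amplifier candidate, known scanner, or no data."""
    tags = {kind for kind, _ in observations.get(ip, [])}
    if "open-resolver" in tags:
        # Reflected traffic: the victim's address was spoofed toward this
        # resolver, so its operator is a notification target, not the attacker.
        return "likely amplifier (open resolver); notify operator to close it"
    if any(t.startswith("scan-") for t in tags):
        return "previously seen scanning; possibly compromised host"
    return "no data"


def triage(text, observations=OBSERVATIONS):
    """Map each top-talker IP to a verdict for the abuse-contact workflow."""
    return {ip: classify(ip, observations) for _, ip, _ in parse_top_talkers(text)}


if __name__ == "__main__":
    for ip, verdict in triage(TOP_TALKERS).items():
        print(f"{ip:16} {verdict}")
```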